https://live.paloaltonetworks.com/t5/automation-api-discussions/general-help-with-custom-vulnerability-signature/m-p/4730#M112 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1579" data-externalid="" data-presence="null" data-userid="12314" data-username="SDorsey" href="https://live.paloaltonetworks.com/people/SDorsey" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">SDorsey</A></STRONG><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;">,</SPAN></P><P></P><P>Could you please try this:</P><P></P><P><IMG alt="FTP-custom-signature-2.JPG" class="image-0 jive-image" height="350" src="https://live.paloaltonetworks.com/legacyfs/online/15424_FTP-custom-signature-2.JPG" style="height: 349.66935483871px; width: 447px;" width="447" /></P><P><IMG alt="FTP-custom-signature-1.JPG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15425_FTP-custom-signature-1.JPG" style="height: 297px; width: 620px;" /></P><P></P><P><IMG alt="FTP-custom-signature.JPG" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/15426_FTP-custom-signature.JPG" style="height: 219px; width: 620px;" /></P><P></P><P>Thanks</P></BODY></HTML> Wed, 10 Sep 2014 07:34:48 GMT HULK 2014-09-10T07:34:48Z https://live.paloaltonetworks.com/t5/automation-api-discussions/general-help-with-custom-vulnerability-signature/m-p/4729#M111 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Can someone provide documentation and insight in regards to creating custom IPS signatures based on the follow scenario?</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Consider you have an FTP server. The USER command is vulnerable to buffer overflow. How does one create a custom signature to identify and block this activity? <SPAN style="font-size: 10pt; line-height: 1.5em;">The buffer and payload the attack sends could have 1000 variations.</SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">If the vulnerability is simple triggered by sending over 20 characters to it...</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">An attacker could send 100 A's. We could easily build a signature that watches for 100 \x41. But if they sent a payload of 100 \x42 and caused the crash, the custom signature would not match.</P></BODY></HTML> Tue, 09 Sep 2014 21:25:41 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/general-help-with-custom-vulnerability-signature/m-p/4729#M111 SDorsey 2014-09-09T21:25:41Z https://live.paloaltonetworks.com/t5/automation-api-discussions/general-help-with-custom-vulnerability-signature/m-p/4730#M112 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1579" data-externalid="" data-presence="null" data-userid="12314" data-username="SDorsey" href="https://live.paloaltonetworks.com/people/SDorsey" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">SDorsey</A></STRONG><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;">,</SPAN></P><P></P><P>Could you please try this:</P><P></P><P><IMG alt="FTP-custom-signature-2.JPG" class="image-0 jive-image" height="350" src="https://live.paloaltonetworks.com/legacyfs/online/15424_FTP-custom-signature-2.JPG" style="height: 349.66935483871px; width: 447px;" width="447" /></P><P><IMG alt="FTP-custom-signature-1.JPG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15425_FTP-custom-signature-1.JPG" style="height: 297px; width: 620px;" /></P><P></P><P><IMG alt="FTP-custom-signature.JPG" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/15426_FTP-custom-signature.JPG" style="height: 219px; width: 620px;" /></P><P></P><P>Thanks</P></BODY></HTML> Wed, 10 Sep 2014 07:34:48 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/general-help-with-custom-vulnerability-signature/m-p/4730#M112 HULK 2014-09-10T07:34:48Z